4-4 Understanding Security for Oracle WebLogic Server
used to remote applications. These security providers need this information to be available in a database in order to function properly.
The security provider database can be the embedded LDAP server as used by the WebLogic security providers, a properties file as used by the sample custom security
providers, available on the Web, or a production-quality, customer-supplied database that you may already be using.
The security provider database should be initialized the first time security providers are used, that is, before the security realm containing the security providers is set as
the default active security realm. This initialization can be done:
■ When a WebLogic Server instance boots.
■ When a call is made to one of the security provider MBeans.
At minimum, the security provider database is initialized with the default groups, security roles, and security policies provided by WebLogic Server. For more information, see
Security Providers and WebLogic Resources in Developing Security Providers for Oracle WebLogic Server.
4.6.1.2 Security Realms and Security Provider Databases
If you have multiple security providers of the same type configured in the same security realm, these security providers may use the same security provider database. This
behavior holds true for all of the WebLogic security providers and the sample security providers that are available at
https:www.samplecode.oracle.comtrackertrackinglinkidprpl1004?id=S224
on the Oracle Technology Network (OTN). For example, if you configure two WebLogic Authentication providers in the default
security realm called myrealm, both WebLogic Authentication providers will use the same location in the embedded LDAP server as their security provider database, and
thus, will use the same users and groups. Furthermore, if you or an administrator add a user or group to one of the WebLogic Authentication providers, you will see that
user or group appear for the other WebLogic Authentication provider as well.
Custom security providers that you develop or the custom security providers that you obtain from third-party security vendors can be designed so that each instance of
the security provider uses its own database or so that all instances of the security provider in a security realm share the same database. This is a design decision that you
need to make based on your existing systems and security requirements. For more information about design decisions that affect security providers, see Design
Considerations in Developing Security Providers for Oracle WebLogic Server.
Note: The sample custom security providers are available at https:www.samplecode.oracle.comtrackertrackinglinkidprpl1004?id=S224 on the Oracle Technology Network (OTN).
Note: If you have two WebLogic security providers or two sample security providers of the same type configured in two different security realms, each will use its own
security provider database. Only one security realm can be active at a time.
4.6.1.3 Embedded LDAP Server
WebLogic Server uses its embedded LDAP server as the database that stores the users, groups, security roles, and security policies for the WebLogic security providers. The
embedded LDAP server is a complete LDAP server that is production quality for reasonably small environments (10,000 or fewer users). For applications that need to
scale above this recommendation, the embedded LDAP server can serve as an excellent development, integration, and testing environment for future export to an
external LDAP server for production deployment. The embedded LDAP server supports the following access and storage functions:
■ Access and modification of entries in the LDAP server.
■ Use of an LDAP browser to import and export security data into and from the LDAP server.
■ Read and write access by the WebLogic security providers.
Table 4–1 shows how each of the WebLogic security providers uses the embedded
LDAP server.
4.6.1.4 RDBMS Security Store